Using SAML for login vs F5 Login Page, but need the password for SSO profiles

I have a scenario where we are using SAML as our first point vs an F5 login page, see APM policy below.


The way this works is the user is re-directed to our SAML provider for authentication and if successful, allowed to pass along. The SAML Auth uses an AAA server which is a SP/IdP setup on the F5.

The issue I have is I am not able to use SSO profiles to auto login to apps hosted via the webtop because I do not have a password variable. (I am able to get domain and user)

This may be a question for the SAML provider, but I am curious if there is a way to capture the password back from the SAML provider?

I understand this defeats the purpose of SAML in this case, as the whole idea is not to send passwords but tokens.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Well, yes, SAML and the whole concept of federation are meant to reduce the need for passwords, but your use case, unfortunately, is still valid, as not all applications can use SAML. In your case there are three options:

  1. If the backend application supports Kerberos for authentication, you can leverage Kerberos Constrained Delegation to perform passwordless SSO.
  2. If the application supports the ability to extract user identity from a header, you might be able to modify it to trust the username from the header that APM would insert after authenticating the user.
  3. You can use a SAML IDP (and F5 is one of very few, if not the only one, that can do it) which will allow you to pass the password as an attribute in the SAML assertion. It is secure because you would encrypt that attribute and thus only the SP will be able to decrypt it and use it for SSO.
Comments on this Answer
Comment made 23-Sep-2016 by Rusty M 59

Thanks Michael!

Can you clarify #3? I think you are referring to using F5 as the IDP vs a redirect to the actual SAML server/SP. If that is the case I believe you have to use the F5 login page, which is what we are trying to avoid. By using the page, users that are on network would have to log in vs being auto logged in as they are on a trusted network and trusted device.

Comment made 23-Sep-2016 by Michael Koyfman 2088

No, I was saying that if F5 was an IDP (F5 can perform both roles - IDP and SP), then it could take the user's password, securely encrypt it and pass it to another SP as an attribute in the SAML assertion. The question is whether you control the IDP or not - if the IDP you're using is within your domain of control, you can consider whether you can deploy F5 in the IDP role instead of what you're using to accomplish your SSO goal.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Michael,

I have the same requirement. My IdP is on premise and I am able to send the password attribute in the SAML assertion to F5 IdP but can't pass it to the backend app that requires NTLM/forms authentication. The question is how do I extract the password from the attribute and use it as session.logon.last.password? Tried to work with this iRule but it didn't work.

when ACCESS_ACL_ALLOWED {
    # Read the SAML NameID and the base64-encoded password attribute
    # from the session after the access policy has allowed the request.
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
}
when ACCESS_SESSION_STARTED {
    # Note: ACCESS_SESSION_STARTED fires when the session is created, i.e.
    # before ACCESS_ACL_ALLOWED, so these variables are not yet set here.
    if { [info exists username] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        # -secure keeps the value out of the session variable logs
        ACCESS::session data set -secure session.logon.last.password $password
    }
}

My policy looks like this:

Start --> SAML Auth --> SSO Credential Mapping.

Comments on this Answer
Comment made 14-Sep-2017 by Rusty M 59

Hey Pushpendu, this is not possible: the attribute "login.last.password" does not get populated when SAML is used, as it does defeat the reason to use SAML auth.

The only way to accomplish this would be to use forms-based login via the F5 page, then add an SSO profile to each application in the portal passing the username and password for the different types of authentication required by the individual apps.

Comment made 14-Sep-2017 by pponte 145

Hello,

We are using our APM like an SP. The user authenticates via SAML (Federate). We receive a session variable (session.saml.last.attr.name.memberOf) where we check the groups the user belongs to, and assign some resources. To make SSO work, we created an entry on Access Policy > SSO Configuration > Kerberos.

You will assign that new Kerberos Server on your Access Profile under Access Policy > Access Profiles : Access Profiles List > YOUR_POLICY > SSO / Auth Domains

Comment made 14-Sep-2017 by Pushpendu Biswas 53

Hi Rusty,

Thank you for your prompt response. But can't we inject this using an iRule as some other variable and use Variable Assign to map it to login.last.password? I know in NetScaler we can do a traffic policy and then a profile by creating an SSO expression to pass the credentials from SAML to the backend apps.

However, if this is something not allowed by APM then it's a different story.

Comment made 14-Sep-2017 by Rusty M 59

You can if you capture the password. If you do a SAML redirect at login, the user is actually logging into your IDP, then redirecting back to the SP (F5) with a success token. The username and password never leave the IDP.

Pponte, I can see that working as long as your application trusts the "token" provided by SAML to Kerberos. From what you listed you are saying once users pass SAML auth, allow them access to applications if they are a member of the group, correct? This removes username/password from the equation but only works if your application will limit by group.

Comment made 14-Sep-2017 by Stanislas Piron 9545

Hi,

You can try this code

when ACCESS_POLICY_COMPLETED {
    # Copy the SAML NameID and the base64-encoded password attribute
    # into the SSO token variables used by the SSO profile.
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    ACCESS::session data set session.sso.token.last.username $username
    # -secure prevents the password from being written to the logs
    ACCESS::session data set -secure session.sso.token.last.password $password
}
Comment made 14-Sep-2017 by Pushpendu Biswas 53

Thanks Piron. Ran into the same issue but I got it working in another way. Here is what I did:

  1. Changed the SAML attribute name from Password to some other - say example
  2. Got rid of the iRule and instead put a Variable Assign where:
     session.sso.token.last.username is mapped to session.saml.last.identity
     session.sso.token.last.password is mapped to session.saml.last.attr.name.example (the password attribute)
  3. Created an SSO NTLM method
  4. Added the NTLM method in the SSO configuration of the SAML Profile that I have.

I tested it from standalone machine (not added to the domain) in FFX, Chrome and IE and it works as expected.

Will need to do some further tests and check if the behavior is per client's requirement and satisfaction.

Comment made 15-Sep-2017 by Stanislas Piron 9545

I confirm Variable Assign may do the same as the iRule I provided (except the SAML password is not base64 and you don't save the password in a secure variable to prevent the password being included in logs).

Variable Assign is much better than an iRule when possible. But it is not recommended to provide the password in the SAML assertion.

Kerberos SSO is still the best solution when APM is SAML SP.

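To see the two mapping paths discussed above side by side (the iRule's b64decode path and the plain Variable Assign path where the attribute is used as-is) together with the point about keeping the password in a secure variable, here is an added Python model; it is not code from this thread or from F5 APM. The sample assertion, the attribute name `example`, the function names and the `SECURE_VARS` set are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP): a NameID plus
# a "memberOf" attribute and the renamed password attribute "example",
# sent base64-encoded as the thread's iRule expects.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=WebtopUsers,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="example">
      <saml:AttributeValue>aHVudGVyMg==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Session variables that must be treated as secure (hypothetical set, mirrors
# the iRule's -secure flag) so the clear-text password never reaches logs.
SECURE_VARS = {"session.sso.token.last.password"}

def parse_assertion(xml_text):
    """Return (NameID, {attribute name: value}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    identity = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return identity, attrs

def map_to_sso_token(identity, attrs, password_attr="example", b64=True):
    """Mirror the thread's mapping: NameID -> username, attribute -> password.
    b64=True replicates the iRule's b64decode; b64=False is the Variable
    Assign path, where the attribute value is copied unchanged."""
    raw = attrs[password_attr]
    password = base64.b64decode(raw).decode() if b64 else raw
    return {
        "session.sso.token.last.username": identity,
        "session.sso.token.last.password": password,
    }

def loggable(session_vars):
    """Render session variables for a log line, redacting secure ones."""
    return {k: ("<redacted>" if k in SECURE_VARS else v) for k, v in session_vars.items()}
```

Running `loggable(map_to_sso_token(*parse_assertion(SAMPLE_ASSERTION)))` shows the username in clear and the password redacted, which is the behaviour the -secure flag gives you in APM and the plain Variable Assign does not.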
Comment made 15-Sep-2017 by Pushpendu Biswas 53

Hi Stan,

I totally agree with you. I am also against the idea of including passwords in the SAML assertion as it defeats the purpose of federation as a whole.

Thanks for your help again, much appreciated.

Comment made 15-Sep-2017 by Stanislas Piron 9545

You are working with NTLM authentication, so the server is an AD domain member... why aren't you trying Kerberos instead?

Comment made 15-Sep-2017 by Pushpendu Biswas 53

That is the next use case. This was a POC for NTLM SSO.

Comment made 18-Sep-2017 by Pushpendu Biswas 53

Stan,

What is the correct syntax of the b64decode when I want to put it in the variable assign? Should I use the expr or return? Can you kindly suggest?

expr {b64decode {mcget [session.saml.last.attr.name.some_encoded_attr]}}

OR

return {b64decode {mcget [session.saml.last.attr.name.some_encoded_attr]}}
Comment made 18-Sep-2017 by Stanislas Piron 9545

I'm not sure b64decode is available in variable assign...

but the mcget command is wrong

expr {b64decode [mcget {session.saml.last.attr.name.some_encoded_attr}]}

  • mcget is a command and must be between brackets
  • the variable called by mcget must be between curly brackets
Comment made 18-Sep-2017 by Pushpendu Biswas 53

Thanks Stan. It did not work from variable assign so I used an iRule to decode the parameter.

Comment made 18-Sep-2017 by Stanislas Piron 9545

The iRule I provided had a bug in syntax. I corrected it and it may work.

Comment made 19-Sep-2017 by Pushpendu Biswas 53

Hi Stan,

Which iRule syntax are you referring to? The earlier one?

when ACCESS_POLICY_COMPLETED {
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    ACCESS::session data set session.sso.token.last.username $username
    ACCESS::session data set -secure session.sso.token.last.password $password
}